CVE-2024-26622
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's TOMOYO security module allows attackers with write access to the TOMOYO control interface to cause memory corruption. This can lead to kernel crashes or potential privilege escalation. Systems using the TOMOYO security module with affected kernel versions are vulnerable.
💻 Affected Systems
- Linux kernel with TOMOYO security module
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, or privilege escalation allowing full system compromise.
Likely Case
Kernel crash causing denial of service, or limited privilege escalation within the TOMOYO context.
If Mitigated
No impact if TOMOYO module is not loaded or access to /sys/kernel/security/tomoyo/ is restricted.
🎯 Exploit Status
Requires write access to TOMOYO control interface (/sys/kernel/security/tomoyo/). Exploitation requires understanding of kernel memory layout and timing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 2caa605079488da9601099fbda460cfc1702839f, 2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815, 3bfe04c1273d30b866f4c7c238331ed3b08e5824, 6edefe1b6c29a9932f558a898968a9fcbeec5711, 7d930a4da17958f869ef679ee0e4a8729337affc
Vendor Advisory: https://git.kernel.org/stable/c/2caa605079488da9601099fbda460cfc1702839f
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix.
2. Check with your distribution for specific patched kernel versions.
3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable TOMOYO module
Unload TOMOYO security module if not required
rmmod tomoyo
Restrict access to TOMOYO interface
Change permissions on TOMOYO control interface
chmod 600 /sys/kernel/security/tomoyo/*
🧯 If You Can't Patch
- Ensure TOMOYO module is not loaded (check with lsmod)
- Restrict access to /sys/kernel/security/tomoyo/ to root only
🔍 How to Verify
Check if Vulnerable:
Check if TOMOYO module is loaded: lsmod | grep tomoyo. If loaded, check kernel version against patched versions.
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes fix commits or is newer than vulnerable versions. Check with: uname -r
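The exposure check described above, as an added example that is not part of the original advisory. It reads the kernel's active-LSM list at /sys/kernel/security/lsm, because an LSM such as TOMOYO is normally built into the kernel image and then does not appear in lsmod output even when it is active. The function names and the TOMOYO_LSM_FILE and TOMOYO_DIR override variables are chosen for this example.

```shell
#!/bin/sh
# Added example: exposure check for the TOMOYO control interface.
# Default paths are the standard securityfs locations; both can be
# overridden (variable names are this example's own) for testing.

# Succeeds when "tomoyo" is in the comma-separated active-LSM list.
tomoyo_active() {
    lsm_file=${1:-/sys/kernel/security/lsm}
    [ -r "$lsm_file" ] || return 1
    tr ',' '\n' < "$lsm_file" | grep -qx 'tomoyo'
}

# Prints interface files that are writable by group or other.
loose_interface_files() {
    dir=${1:-/sys/kernel/security/tomoyo}
    [ -d "$dir" ] || return 0
    find "$dir" -type f \( -perm -020 -o -perm -002 \) -print
}

# Prints a single verdict for the given LSM list file and interface dir.
tomoyo_exposure() {
    if ! tomoyo_active "$1"; then
        echo "not-active"
    elif [ -n "$(loose_interface_files "$2")" ]; then
        echo "active-writable-by-non-owner"
    else
        echo "active-owner-only"
    fi
}

# Report for the running system; the kernel release still has to be
# compared against the distribution's patched versions by hand.
echo "kernel: $(uname -r)"
echo "tomoyo: $(tomoyo_exposure \
    "${TOMOYO_LSM_FILE:-/sys/kernel/security/lsm}" \
    "${TOMOYO_DIR:-/sys/kernel/security/tomoyo}")"
```

A verdict of "active-owner-only" means only the file owner can write to the interface; it does not show that the kernel is patched.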
📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages
- System crashes/reboots
- TOMOYO audit log anomalies
Network Indicators:
- None - local exploit only
SIEM Query:
Process accessing /sys/kernel/security/tomoyo/ with write operations from non-privileged users
🔗 References
- https://git.kernel.org/stable/c/2caa605079488da9601099fbda460cfc1702839f
- https://git.kernel.org/stable/c/2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815
- https://git.kernel.org/stable/c/3bfe04c1273d30b866f4c7c238331ed3b08e5824
- https://git.kernel.org/stable/c/6edefe1b6c29a9932f558a898968a9fcbeec5711
- https://git.kernel.org/stable/c/7d930a4da17958f869ef679ee0e4a8729337affc
- https://git.kernel.org/stable/c/a23ac1788e2c828c097119e9a3178f0b7e503fee
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVVYSTEVMPYGF6GDSOD44MUXZXAZHOHB/